Quantum Key Distribution Method and Communication Apparatus

ABSTRACT

In a quantum key distributing method of the present invention, a communication apparatus on a reception side performs error correction using parity check matrixes for an LDPC code that have an extremely high error correction ability. In the quantum key distributing method of the present invention, a cyclic code syndrome generated by a communication apparatus on a transmission side and an estimated cyclic code syndrome generated based on an estimated word after error correction are compared to perform error detection for the estimated word.

TECHNICAL FIELD

The present invention relates to a quantum key distribution methodcapable of generating a common key, security of which is highlyguaranteed, and more particularly, to a quantum key distribution methodcapable of correcting a data error using an error correction code and acommunication apparatus capable of realizing the quantum keydistribution.

BACKGROUND ART

A conventional quantum cryptograph system is explained below. In recentyears, optical communication is widely used as a high-speedlarge-capacity communication technology. In such an opticalcommunication system, communication is performed according to ON/OFF oflight and a large quantity of photons are transmitted when light is ON.Thus, the optical communication system is not a communication system inwhich a quantum effect is developed directly.

On the other hand, in the quantum cryptograph system, photons are usedas communication media to transmit information of one bit using onephoton such that a quantum effect such as uncertainty principle isdeveloped. In this case, when a wiretapper selects a base at random andmeasures photons without knowing a quantum state such as polarizationand a phase of the photons, the quantum state changes. Therefore, on thereception side, it is possible to recognize, by confirming the change inthe quantum state of the photons, whether transmitted data has beenwiretapped.

FIG. 10 is a schematic of the conventional quantum key distributionusing polarized light. For example, a measuring device, which is capableof identifying polarized light in horizontal and vertical directions,identifies light polarized in the horizontal direction (0°) and lightpolarized in the vertical direction (90°) on a quantum communicationpath correctly. On the other hand, a measuring device, which is capableof identifying polarized light in oblique directions (45° and 135°),identifies light polarized in the 45° direction and 135° direction on aquantum communication path correctly.

In this way, the respective measuring devices can recognize lightpolarized in the defined directions correctly. However, for example,when the measuring device, which is capable of identifying polarizedlight in the horizontal and vertical directions (0° and 90°), measureslight polarized in an oblique direction, the measuring device identifieslight polarized in the horizontal direction and light polarized in thevertical direction at random at a probability of 50 percent,respectively. In other words, when the measuring device that does notcope with identifiable polarization directions is used, it is impossibleto identify a direction in which light is polarized even if a result ofmeasurement by the measuring device is analyzed.

In the conventional quantum key distribution shown in FIG. 10, a senderand a receiver share a key while keeping the key secret from wiretappers(see, for example, Nonpatent Literature 1). Note that the sender and thereceiver can use a public communication path other than the quantumcommunication path.

A procedure for sharing a key is explained. First, the sender generatesa random number sequence (a sequence of 1 and 0: transmission data) anddetermines transmission codes (+: a code corresponding to the measuringdevice capable of identifying light polarized in the horizontal andvertical directions, x: a code corresponding to the measuring devicecapable of identifying light polarized in the oblique directions) atrandom. A polarization direction of light to be transmitted isautomatically determined according to combinations of the random numbersequence and the transmission codes. Light polarized in the horizontaldirection according to a combination of 0 and +, light polarized in thevertical direction according to a combination of 1 and +, lightpolarized in the 45° direction according to a combination of 0 and x,and light polarized in the 135° direction according to a combination of1 and x are transmitted to the quantum communication path, respectively(transmission signals).

The receiver determines reception codes (+: a code corresponding to themeasuring device capable of identifying light polarized in thehorizontal and vertical directions, x: a code corresponding to themeasuring device capable of identifying light polarized in the obliquedirections) at random and measures light on the quantum communicationpath (reception signals). The receiver obtains reception data accordingto combinations of the reception codes and the reception signals. Thereceiver obtains 0, 1, 0, and 1 as reception data according to acombination of the light polarized in the horizontal direction and +, acombination of the light polarized in the vertical direction and +, acombination of the light polarized in the 45° direction and x, and acombination of the light polarized in the 135° direction and x,respectively.

In order to check whether measurement for the receiver has beenperformed by a correct measuring device, the receiver sends thereception codes to the sender thorough the public communication path.The sender, who has received the reception codes, checks whether themeasurement has been performed by a correct measuring device and returnsa result of the check to the receiver through the public communicationpath.

The receiver keeps only the reception data corresponding to thereception signals received by the correct measuring device and disposesof other reception data. At this point, the reception data kept can beshared by the sender and the receiver surely.

The sender and the receiver send a predetermined number of data selectedfrom the shared data to each other through the public communicationpath. Then, the sender and the receiver check whether the reception datacoincide with the data held by the sender and the receiver themselves.For example, if at least one data among the data checked does notcoincide with the data held by the sender and the receiver, the senderand the receiver judge that a wiretapper is present, dispose of theshared data, and repeat the procedure for sharing a key from thebeginning. On the other hand, when all the data checked coincide withthe data held by the sender and the receiver, the sender and thereceiver judge that no wiretapper is present, dispose of the data usedfor the check, and use the remaining shared data as a shared key for thesender and the receiver.

On the other hand, as an application of the conventional quantum keydistribution method, for example, there is a quantum key distributionmethod that is capable of correcting a data error on a transmission path(see, for example, Nonpatent Literature 2).

In this method, to detect a data error, a sender divides transmissiondata into plural blocks and sends a parity for each block on a publiccommunication path. Then, a receiver compares the parity for each blockreceived through the public communication path and a parity of acorresponding block in reception data to check a data error. In thiscase, when there is a different parity, the receiver returns informationindicating a block of the different parity on the public communicationpath. The sender further divides the pertinent block into a former halfblock and a latter half block and returns, for example, a former halfparity on the public communication path (binary search). Thereafter, thesender and the receiver specify a position of an error bit by repeatedlyexecuting the binary search. Finally, the receiver corrects the bit.

Moreover, assuming that a parity is judged as correct because of an evennumber of errors regardless of an error in data, the sender rearrangestransmission data at random (random replacement) to divide thetransmission data into plural blocks and performs the error correctionprocessing with the binary search again. Then, the sender repeatedlyexecutes this error correction processing with the random replacement tothereby correct all the data errors.

Nonpatent Literature 1

Bennett, C. H. and Brassard, G., “Quantum Cryptography”, Public KeyDistribution and Coin Tossing, In Proceedings of IEEE Conference onComputers, System and Signal Processing, Bangalore, India, pp. 175-179(December 1984).

Nonpatent Literature 2

Brassard, G. and Salvail, L., “Secret-Key Reconciliation by PublicDiscussion”, In Advances in Cryptology-EUROCRYPT '93, Lecture Notes inComputer Science 765, pp. 410-423 (1993).

However, an error communication path is not assumed in the conventionalquantum key distribution shown in FIG. 10. Therefore, when there is anerror, the sender and the receiver dispose of the common data (thecommon key) judging that a wiretapping act is performed. This extremelydeteriorates efficiency of generation of a common key depending on atransmission path.

In the quantum key distribution method capable of correcting a dataerror on the transmission path, parities are exchanged an extremelylarge number of times to specify an error bit and the error correctionprocessing by the random replacement is performed for a predeterminednumber of times. Therefore, a great deal of time is consumed for theerror correction processing.

The present invention has been devised in view of the circumstances andit is an object of the present invention to provide a quantum keydistribution method that is capable of generating a common key, securityof which is highly guaranteed, while correcting a data error on atransmission path using an error correcting code having an extremelyhigh property.

DISCLOSURE OF INVENTION

A quantum key distributing method according to one aspect of the presentinvention is for a quantum cryptographic system including acommunication apparatus on a transmission side that transmits, in apredetermined quantum state, a random number sequence forming a basis ofan encryption key to a quantum communication path and a communicationapparatus on a reception side that measures photons on the photoncommunication path. The quantum key distributing method includes a checkmatrix generating step at which the respective communication apparatusesgenerate an identical parity check matrix (a matrix with an element “0”or “1”) (corresponding to steps S1 and S11 according to an embodimentdescribed later); a cyclic code generating step at which thecommunication apparatus on the transmission side generates a cyclic code(CRC: Cyclic Redundancy Check) for error detection (corresponding tostep S2); a transmitting and receiving step at which the communicationapparatus on the reception side holds reception data with probabilityinformation obtained as a result of measuring a light direction with ameasuring device capable of correctly identifying the light directionand the communication apparatus on the transmission side holdstransmission data (a part of the random number sequence) correspondingto the reception data (corresponding to steps S3, S4, S12, and S13); aninformation notifying step at which the communication apparatus on thetransmission side notifies, via a public communication path, thecommunication apparatus on the reception side of error correctioninformation generated based on the parity check matrix and thetransmission data and error detection information generated based on thecyclic code and the transmission data (corresponding to steps S5 andS14); a transmission data estimating step at which the communicationapparatus on the reception side estimates the transmission data based onthe parity check matrix, the reception data with probabilityinformation, the error correction information, and the error detectioninformation (corresponding to step S15); and an encryption keygenerating step at which the respective communication apparatusesdiscard a part of the transmission data according to an amount ofinformation laid open to the public and generate an encryption key usingremaining information (corresponding to steps S6 and S16).

According to the present invention, for example, a data error of sharedinformation is corrected using parity check matrixes for an“Irregular-LDPC code”, which are definite and have stablecharacteristics, error detection for shared information (estimated word)is performed using the cyclic code CRC, and, thereafter, a part of theshared information is discarded according to error correctioninformation laid open to the public.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram of a constitution of a quantum cryptographic systemaccording to the present invention;

FIG. 2 is a flowchart of quantum key distribution;

FIG. 3 is a flowchart of quantum key distribution;

FIG. 4 is a flowchart of a method of forming an “Irregular-LDPC code”based on the finite affine geometry;

FIG. 5 is a diagram of a matrix of a finite affine geometric code AG (2,2²);

FIG. 6 is a diagram of a final weight distribution of columns λ(γ_(i))and a final weight distribution of rows ρ_(u);

FIG. 7 is a diagram of an example of a cyclic code (an n×d matrix);

FIG. 8 is a schematic of a method of generating a syndrome S_(A) and acyclic code syndrome S_(C) of m_(A);

FIG. 9 is a flowchart of a syndrome decoding method according to anembodiment of the present invention; and

FIG. 10 is a diagram of conventional quantum key distribution that usespolarization.

BEST MODE(S) FOR CARRYING OUT THE INVENTION

Exemplary embodiments of a quantum key distribution method and acommunication apparatus according to the present invention are explainedin detail below with reference to the accompanying drawings. Note thatthe present invention is not limited by the embodiments. Quantum keydistribution using polarized light is explained below as an example.However, the present invention is also applicable to, for example,quantum key distribution using a phase, quantum key distribution using afrequency, and the like. There is no specific limitation on what kind ofquantum state is used.

Quantum key distribution is a key distribution system, security of whichis guaranteed regardless of a computing ability of a wiretapper. Forexample, to generate a shared key efficiently, it is necessary to removean error of data that is caused when the data is transmitted through atransmission path. Thus, according to the present embodiment, quantumkey distribution for performing error correction using a Low-DensityParity-Check (LDPC) code, which is known as having an extremely highproperty, is explained.

FIG. 1 is a block diagram of a structure of a quantum cryptograph system(communication apparatuses on a transmission side and a reception side)according to the present invention. This quantum cryptograph systemincludes the communication apparatus on the transmission side, which hasa function of transmitting information m_(a), and the communicationapparatus on the reception side, which has a function of receiving theinformation m_(a) affected by noise and the like on a transmission path,that is, information m_(b).

The communication apparatus on the transmission side includes anencryption-key generating unit 1, which transmits the information m_(a)through a quantum communication path, transmits a syndrome S_(A)thorough a public communication path, and generates an encryption key (acommon key common to the transmission side and the reception side) basedon the transmitted information, and a communication unit 2 in which atransmission/reception unit 22 transmits and receives data, which isencrypted by an encryption unit 21 based on the encryption key, throughthe public communication path. The communication apparatus on thereception side includes an encryption-key generating unit 3, whichreceives the information m_(b) through the quantum communication path,receives the syndrome S_(A) through the public communication path, andgenerates an encryption key (a common key common to the reception sideand the transmission side) based on information on the receivedinformation, and a communication unit 4 in which atransmission/reception unit 41 transmits and receives data, which isencrypted by an encryption unit 42 based on the encryption key, throughthe public communication path.

The communication apparatus on the transmission side transmits lightpolarized in a predetermined direction using a polarization filter tothe communication apparatus on the reception side as the informationm_(a) to be transmitted on the quantum communication path. On the otherhand, the communication apparatus on the reception side identifies lightpolarized in the horizontal direction (0°), light polarized in thevertical direction (90°), light polarized in the 45° direction, andlight polarized in the 135° direction on the quantum communication pathusing a measuring device capable of identifying polarized light in thehorizontal and vertical directions (0° and 90°) and a measuring devicecapable of identifying polarized light in the oblique directions (45°and 135°). Not that the respective measuring devices can recognize lightpolarized in the defined directions correctly. However, for example,when the measuring device, which is capable of identifying polarizedlight in the horizontal and vertical directions (0° and 90°), measureslight polarized in an oblique direction, the measuring device identifieslight polarized in the horizontal direction and light polarized in thevertical direction at random at a probability of 50 percent,respectively. In other words, when the measuring device that does notcope with identifiable polarization directions is used, it is impossibleto identify a direction in which light is polarized even if a result ofmeasurement by the measuring device is analyzed.

Operations of the respective communication apparatuses in the quantumcryptograph system, that is, quantum key distribution according to thepresent embodiment is explained in detail below. FIGS. 2 and 3 areflowcharts of an outline of the quantum key distribution according tothe present embodiment. Specifically, FIG. 2 is a flowchart ofprocessing in the communication apparatus on the transmission side; andFIG. 3 is a flowchart of processing in the communication apparatus onthe reception side.

First, in the communication apparatus on the transmission side and thecommunication apparatus on the reception side, parity-check-matrixgenerating units 10 and 30 calculate a parity check matrix H (a matrixof n×k) of a specific linear code, calculate a generator matrix G (amatrix of (n−k)×n) satisfying a condition “HG=0” from this parity checkmatrix H, and calculate an inverse matrix G⁻¹ (a matrix of n×(n−k)) of Gsatisfying a condition G⁻¹·G=I (unit matrix) (step S1 and step S11). Inan explanation of the quantum key distribution according to the presentembodiment, an LDPC code having an excellent property extremely close tothe Shannon limit is used as the specific linear code. Note that,although the LDPC code is used as an error correction system, thepresent invention is not limited to this and, for example, other linearcodes like a turbo code may be used. In addition, for example, if errorcorrection information (a syndrome) described later is an errorcorrection protocol represented by a product Hm_(A) of an appropriatematrix H and a transmission data m_(A) (a part of the information m_(a))(e.g., an error correction protocol equivalent to the “quantum keydistribution capable of correcting a data error on a transmission path”explained in the conventional technology), that is, if linearity of theerror correction information and the transmission data m_(A) is secured,the matrix H may be used as the parity check matrix.

A method of forming an LDPC code in the parity-check-matrix generatingunit 10, specifically, a method of forming an “Irregular-LDPC code”based on the finite affine geometry (details of step S1 in FIG. 2) isexplained. FIG. 4 is a flowchart of a method of forming an“Irregular-LDPC code” based on the finite affine geometry. Note that,since the parity-check-matrix generating unit 30 operates in the samemanner as the parity-check-matrix generating unit 10, an explanation ofthe parity-check-matrix generating unit 30 is omitted. Parity checkmatrix generation processing according to the present embodiment may be,for example, executed by the parity-check-matrix generating unit 10 ormay be executed by another control apparatus (a computer, etc.) outsidea communication apparatus depending on parameters to be set. When theparity check matrix generation processing according to the presentembodiment is executed outside the communication apparatus, a generatedparity check matrix is stored in the communication apparatus. Inexplanations of the following embodiments, the processing is executed bythe parity-check-matrix generating unit 10.

The parity-check-matrix generating unit 10 selects a limited affinegeometry code AG (2, 2^(s)) forming a base of a check matrix for an“Irregular-LDPC code” (step S21 in FIG. 4). A row weight and a columnweight are 2^(s), respectively. FIG. 5 is a diagram of, for example, amatrix of a limited affine geometry code AG (2, 2²) (blanks represent0).

The parity-check-matrix generating unit 10 determines a maximum value r₁(2<r₁≦2^(s)) of the column weight (step S22). Then, theparity-check-matrix generating unit 10 determines a coding rate (onesyndrome length/a length of a key) (step S22).

The parity-check-matrix generating unit 10 provisionally calculates acolumn weight distribution λ(γ_(i)) and a row weight distribution ρ_(u)using optimization by the Gaussian Approximation (step S23). Note that agenerating function ρ(x) for a row weight distribution is set asρ(x)=ρ_(u)x^(u−1)+(1−ρ_(u))x^(u). A weight u is an integer equal to orlarger than 2 and ρ_(u) represents a ratio of the weight u in a row.

The parity-check-matrix generating unit 10 selects a row weight {u, u+1}that can be formed by division of a row of the limited affine geometryand calculates a division coefficient {b_(u), b_(u+1)} satisfyingEquation (1) below (step S24). Note that b_(u) and b_(u+1) are assumedto be non-negative integers.

b _(u) +b _(u+1)(u+1)=2^(s)  (1)

Specifically, the parity-check-matrix generating unit 10 calculatesb_(u) from Equation (2) below and calculates b_(u+1) form Equation (1)above.

$\begin{matrix}{\arg \cdot {\min\limits_{bu}{{\phi_{u} - \frac{u \times b_{u}}{2^{s}}}}}} & (2)\end{matrix}$

The parity-check-matrix generating unit 10 calculates ratios ρ_(u)′ andρ_(u+1)′ of the row weight updated by the parameters determined u, u+1,b_(u), and b_(u+1) according to Equation (3) (step S25).

$\begin{matrix}{{\phi_{u}^{\prime} = \frac{u \times b_{u}}{2^{s}}}{\phi_{u + 1}^{\prime} = \frac{\left( {u + 1} \right) \times b_{u + 1}}{2^{s}}}} & (3)\end{matrix}$

The parity-check-matrix generating unit 10 provisionally calculates acolumn weight distribution λ(γ_(i)) using optimization by the GaussianApproximation and with u, u+1, ρ_(u)′, and ρ_(u+1)′ calculated above asfixed parameters (step S26). Note that the weight γ_(i) is an integerequal to or larger than 2 and λ(γ_(i)) represents a ratio of the weightγ_(i) in the column. The parity-check-matrix generating unit 10 excludesa weight with the number of columns equal to or smaller than 1(λ(γ_(i))≦γ_(i)/w_(t), i is a positive integer) from column weightcandidates. w_(t) represents a total number of 1 included in AG(2,2^(s)).

The parity-check-matrix generating unit 10 selects a set of columnweight candidates {γ₁, γ₂, . . . , γ₁ (γ₁≦2^(s))} that satisfy theweight distribution calculated above and satisfy Equation (4) below(step S27). When a column weight γ_(i) not satisfying Equation (4) ispresent, the column weight is excluded from the candidates.

$\begin{matrix}{{\begin{bmatrix}a_{1,1} & a_{1,2} & \ldots & a_{1,l} & \; \\a_{2,1} & a_{2,2} & \ldots & a_{1,l} & \; \\\vdots & \; & \ldots & \; & \vdots\end{bmatrix}\begin{bmatrix}\gamma_{1} \\\gamma_{2} \\\vdots \\\gamma_{l}\end{bmatrix}} = \begin{bmatrix}2^{s} \\2^{s} \\\vdots \\2^{s}\end{bmatrix}} & (4)\end{matrix}$

Note that the respective a's represent non-negative integer coefficientswith respect to {γ₁, γ₂, . . . , γ₁} for forming the column weight2^(s), i and j are positive integers, γ_(i) represents a column weight,and γ₁ represents a maximum column weight.

The parity-check-matrix generating unit 10 calculates a column weightdistribution λ(γ_(i)) and a row weight distribution ρ_(u) usingoptimization by the Gaussian Approximation and with u, u+1, ρ_(u)′,ρ_(u+1)′, and {γ₁, γ₂, . . . , γ₁} calculated above as fixed parameters(step S28).

Before performing division processing, the parity-check-matrixgenerating unit 10 adjusts the column weight distribution λ(γ_(i)) andthe row weight distribution ρ_(u) (step S29). Note that the respectiveweight distributions after the adjustment are set to values as close aspossible to values calculated by the Gaussian Approximation. FIG. 5 is atable of final column weight distribution λ(γ_(i)) and row weightdistribution ρ_(u) at step S29. n(γ_(i)) represents a total number ofcolumns by a unit of weight and n_(u) represents a total number of rowsby a unit of weight.

Finally, the parity-check-matrix generating unit 10 divides rows andcolumns in the finite affine geometry (step S30) to generate an n×kparity check matrix H. In processing for dividing a finite affinegeometric code in the present invention, “1” is extracted from therespective rows or the respective columns at random rather thanregularly dividing the rows and the columns. Any method may be used forthis extraction processing as long as randomness is maintained.

In this way, according to the present embodiment, the parity checkmatrix generating can be generated the check matrix H (n×k) for an“Irregular-LDPC code”, which is definite and having a stablecharacteristic, by executing, the method of forming a check matrix foran “Irregular-LDPC code” based on the limited affine geometry (step S1in FIG. 2).

After the parity check matrix H (an n×k matrix) and the generatormatrixes G and G⁻¹ (G⁻¹*G=I: unit matrix) are generated as describedabove, it is likely that the communication apparatus on the receptionside cannot accurately estimate transmission data m_(A), in particular,probability of occurrence of misjudgment may be high because of thepresence of a wiretapper. Thus, in the communication apparatus on thetransmission side, a cyclic-code generating unit 16 generates a cycliccode CRC (Cyclic Redundancy Check) for error detection to reduce theprobability of misjudgment as much as possible (step S2 in FIG. 2). Thecyclic-code generating unit 16 generates a cyclic code CRC (an n×dmatrix) separately from the parity check matrix H generated as describedabove.

A method of forming the cyclic code CRC (an n×d matrix) in thecyclic-code generating unit 16 (details of step S2 in FIG. 2) isexplained.

For example, when a key length n is set to 7, a maximum order d at thetime when a primitive polynomial gx on GF(2) is in a polynomialrepresentation is set to 3, and a third-order primitive polynomial gx iscalculated as x³+x+1 (vector representation: [1011]) (when an n×d CRC isformed), a check polynomial x^(d−1)H(x⁻¹) of the CRC can be representedas indicated by Equation (5) below. A polynomial H(x) is calculated as(x^(n)+1)/gx.

$\begin{matrix}\begin{matrix}\begin{matrix}{{H(x)} = {\left( {x^{n} + 1} \right)/{gx}}} \\{= {\left( {x^{7} + 1} \right)/\left( {x^{3} + x + 1} \right)}} \\{= {x^{4} + x^{2} + x + {1\mspace{14mu} \left( {{vector}\mspace{14mu} {representation}{\text{:}\mspace{11mu}\lbrack 10111\rbrack}} \right)}}}\end{matrix} \\\begin{matrix}{{H\left( x^{- 1} \right)} = {x^{- 4} + x^{- 2} + x^{- 1} + 1}} \\{= {x^{4} + x^{3} + x^{2} + {1\mspace{14mu} \left( {{vector}\mspace{14mu} {representation}{\text{:}\mspace{14mu}\lbrack 11101\rbrack}} \right)}}}\end{matrix} \\\begin{matrix}{{H^{d - 1}{H\left( x^{- 1} \right)}} = {x^{2} \times \left( {x^{4} + x^{3} + x^{2} + 1} \right)}} \\{= {x^{6} + x^{5} + x^{4} + {x^{2}\mspace{14mu} \left( {{vector}\mspace{14mu} {representation}{\text{:}\mspace{14mu}\lbrack 1110100\rbrack}} \right)}}}\end{matrix}\end{matrix} & (5)\end{matrix}$

Therefore, the cyclic code CRC (an n×d matrix) is an n×d matrix in FIG.7 obtained by cyclically shifting (d=3) the vector representation[1110100] of the check polynomial x^(d−1)H(x⁻¹) of the CRC. FIG. 7 is adiagram of an example of the cyclic code CRC (an n×d matrix).

After the cyclic code CRC (an n×k matrix) is generated as describedabove, in the communication apparatus on the transmission side, arandom-number generating unit 11 generates a random number sequencem_(a) (a sequence of 1 and 0: transmission data) and determinestransmission codes (+: a code corresponding to a measuring devicecapable of identifying light deflected in the horizontal and verticaldirections, x: a code corresponding to a measuring device capable ofidentifying light polarized in an oblique direction) at random (step S3in FIG. 2). On the other hand, in the apparatus on the reception side, arandom-number generating unit 31 determines reception codes (+: a codecorresponding to the measuring device capable of identifying lightpolarized in the horizontal and vertical directions, x: a codecorresponding to the measuring device capable of identifying lightpolarized in an oblique direction) at random (step S12 in FIG. 3).

Subsequently, in the communication apparatus on the transmission side, aphoton generating unit 12 transmits a photon in a polarizing directionautomatically determined according to a combination of the random numbersequence m_(a) and the transmission codes (step S4). For example, thephoton generating unit 12 transmits light polarized in the horizontaldirection according to a combination of 0 and +, light polarized in thevertical direction according to a combination of 1 and +, lightpolarized in the 45° direction according to a combination of 0 and x,and light polarized in the 135° direction according to a combination of1 and x to a quantum communication path, respectively (transmissionsignals).

A photon receiving unit 32 of the communication apparatus on thereception side, which has received light signals of the photongenerating unit 12, measures light on the photon communication path(reception signals). The photon receiving unit 32 obtains reception datam_(b) automatically determined according to a combination of a receptioncode and a reception signal (step S13). The photon receiving unit 32obtains, as the reception data m_(b), 0, 1, 0, and 0 according to acombination of the light polarized in the horizontal direction and +, acombination of the light polarized in the vertical direction and +, acombination of the light polarized in the 45° direction and x, and acombination of the light polarized in the 135° direction and x,respectively. The reception data m_(b) is assumed to be a hard decisionvalue with probability information.

In the communication apparatus on the reception side, to check whetherthe measurement is performed by a correct measuring device, therandom-number generating unit 31 transmits a reception code to thecommunication apparatus on the transmission side via a publiccommunication path (step S13). The communication apparatus on thetransmission side, which has received the reception code, checks whetherthe measurement is performed by a correct measuring device and transmitsa result of the check to the communication apparatus on the receptionside via the public communication path (step S4). The communicationapparatus on the reception side and the communication apparatus on thetransmission side keep only data corresponding to a reception signalreceived by the correct measuring device and discard the other data(steps S4 and S13). Thereafter, the communication apparatus on thereception side and the communication apparatus on the transmission sidestore the data kept in memories or the like, read out n bits in orderfrom the top of the data, and set the n bits of data as formaltransmission data m_(A) and formal reception data m_(B) (m_(B) is m_(A)affected by noise and the like on the transmission path: m_(B)=m_(A)+e(noise and the like)). In other words, the communication apparatus onthe reception side and the communication apparatus on the transmissionside read out the next n bits as required and generate the transmissiondata m_(A) and the reception data m_(B). According to the presentembodiment, the communication apparatus on the reception side and thecommunication apparatus on the transmission side can share bit positionsof the data kept. Like the reception data m_(b), the reception datam_(B) is a hard decision value with probability information.

In the communication apparatus on the transmission side, a syndromegenerating unit 14 connects the parity check row H (an n×k matrix) andthe cyclic code CRC (an n×d matrix), calculates a syndrome S_(A)=H×m_(A)and a cyclic code syndrome S_(C)=CRC×m_(A) of m_(A) using a matrix afterconnection and transmission data m_(A), and notifies the communicationapparatus on the reception side of a result of the calculation via apublic-communication-path communication unit 13 and the publiccommunication path (step S5). FIG. 8 is a schematic of a method ofgenerating the syndrome S_(A) and the cyclic code syndrome S_(C) ofm_(A). At this stage, it is likely that the syndrome S_(A) (informationfor k bits) and the cyclic code syndrome S_(C) (information for d bits)of m_(A) are learnt by a wiretapper. On the other hand, in thecommunication apparatus on the reception side, apublic-communication-path communication unit 34 receives the syndromeS_(A) and the cyclic code syndrome S_(C) of m_(A) and notifies asyndrome decoding unit 33 of the syndrome S_(A) and the cyclic codesyndrome S_(C) (step S14).

The syndrome decoding unit 33 estimates the original transmission datam_(A) using a syndrome decoding method according to the presentembodiment (step S15). Specifically, the syndrome decoding unit 33generates an estimated word m_(C) by correcting an error of the harddecision value m_(B) with probability information due to noise and thelike and, if there is no error in the estimated word m_(C), judges thatthe estimated word m_(C) is the original transmission data m_(A).According to the present embodiment, the syndrome decoding unit 33estimates m_(C) satisfying “S_(A)=Hm_(C)” from the hard decision valuem_(B) with probability information and, if there is no error in m_(C) asa result of the estimation, sets m_(C) as the shared information m_(A).The syndrome decoding method according to the present embodiment isexplained below in detail.

FIG. 9 is a flowchart of the syndrome decoding method according to thepresent embodiment. As described above, when the binary n (columns)×k(rows) check matrix H is assumed as described above, an elements in ani-th column (1≦i≦n) and a j-th row (1≦i≦k) is represented as H_(ij). Thereception data m_(B) is set as (m_(B1), m_(B2), . . . , m_(Bn)) and theestimated word (a hard decision value) m_(C) is set as (m_(C1), m_(C2),. . . , m_(Cn)). The syndrome S_(A) of m_(A) is set as “S_(A1), S_(A2),. . . , S_(Ak)). As a communication path, a non-storage communicationpath described by conditional probability P(m_(B)|m_(C)=m_(A)) isassumed.

First, the syndrome decoding unit 33 sets, as initial setting, priorvalues of all combinations (i, j) of rows and columns satisfyingH_(ij)=1 as q_(ij)(0)=½ and q_(ij)(1)=½. q_(ij)(0) representsprobability that H_(ij) is “0” and q_(ij)(1) represents probability thatH_(ij) is “1”. The syndrome decoding unit 33 sets a counter value 1indicating the number of times of iteration of decoding as 1 (iteration:once) and further sets a maximum number of times of iteration 1 _(max)(step S31).

Subsequently, the syndrome decoding unit 33 updates external valuesr_(ij)(0) and r_(ij)(1) for all the combinations (i, j) of rows andcolumns satisfying H_(ij)=1 in an order of j=1, 2, . . . , k (step S32).According to the present embodiment, for example, when a j-th (1≦j≦k)syndrome S_(Aj) is “0”, the syndrome decoding unit 33 updates theexternal values r_(ij)(0) and r_(ij)(1) using update Equations (6) and(7).

r _(ir)(0)=K×Σ(Πq _(i′j)(m _(Ci′))P(m _(Bi′) |m _(Ci′)))

M_(Ci′)ε0,1

ΣM_(Ci′)=0

i′εA(i)\j  (6)

r _(ir)(1)=K×Σ(Πq _(i′j)(m _(Ci′))P(m _(Bi′) |m _(Ci′)))

M_(Ci′)ε0,1

ΣM_(Ci′)=1

i′εA(i)\j  (7)

On the other hand, when the j-th (1≦j≦k) syndrome S_(Aj) is “1”, thesyndrome decoding unit 33 updates the external values r_(ij)(0) andr_(ij)(1) using update Equations (8) and (9).

r _(ir)(0)=K×Σ(Πq _(i′j)(m _(Ci′))P(m _(Bi′) |m _(Ci′)))

M_(Ci′)ε0,1

ΣM_(Ci′)=1

i′εB(j)\i  (8)

r _(ir)(1)=K×Σ(Πq _(i′j)(m _(Ci′))P(m _(Bi′) |m _(Ci′)))

M_(Ci′)ε0,1

ΣM_(Ci′)=0

i′εB(j)\i  (9)

K in the Equations is assumed to be a value defined to establish (avalue for normalizing) “r_(ij)(0)+r_(ij)(1)=1”. P(m_(B)|m_(C)) in theEquations represents conditional probability, that is, probability ofthe reception data m_(B) at the time when the estimated word m_(C) is“0” OR “1”. A subset A(i) in the Equations represents a set of rowindexes with “1” set in the i-th column of the check matrix H. A subsetB(j) represents a set of column indexes with “1” set in the j-th row ofthe check matrix H.

Specifically describing the update processing, for example, when allcombinations (i, 1) of columns and rows satisfying S_(Aj)=0, j=1, andH_(i1)=1 are (3, 1), (4, 1), and (5, 1), Equations (6) and (7) areapplied and external values r₃₁(0) and r₃₁(1) are updated as indicatedby Equations (10) and (11). In other words, the external values r₃₁(0)and r₃₁(1) are updated using H41 and H51 except H31. Probability that avalue in a third column and a first row of the check matrix H is “0” andprobability that the value is “1” are calculated, respectively.

r ₃₁(0)=K×{q ₄₁(m _(C4)=0)P(m _(B4) |m _(C4)=0)×q ₅₁(m _(C5)=0)P(m _(B5)|m _(C5)=0)+q ₄₁(m _(C4)=1)P(m _(B4) |m _(C4)=1)×q ₅₁(m _(C5)=1)P(m_(B5) |m _(C5)=1)}  (10)

r ₃₁(0)=K×{q ₄₁(m _(C4)=1)P(m _(B4) |m _(C4)=1)×q ₅₁(m _(C5)=0)P(m _(B5)|m _(C5)=0)+q ₄₁(m _(C4)=0)P(m _(B4) |m _(C4)=0)×q ₅₁(m _(C5)=1)P(m_(B5) |m _(C5)=1)}  (11)

Subsequently, the syndrome decoding unit 33 updates the prior valuesq_(ij)(0) and q_(ij)(1) for all the combinations (i, j) of rows andcolumns satisfying H_(ij)=1 in an order of i=1, 2, . . . , n (step S33).This update processing can be represented by Equations (12) and (13).

q _(ij)(0)=K′×Πr _(ij′)(0)

j′=A(i)\j  (12)

q _(ij)(1)=K′×Πr _(ij′)(1)

j′=A(i)\j  (13)

K′ in the Equations is assumed to be a value defined to establish (avalue for normalizing) “q_(ij)(0)+q_(ij)(1)=1”.

Specifically describing the update processing, for example, when allcombinations (3, j) of columns and rows satisfying i=1 and H_(i1)=1 are(3, 1), (3, 2), and (3, 3), Equations (12) and (13) are applied andprior values q₃₁(0) and q₃₁(1) are updated as indicated by Equations(14) and (15). In other words, the prior values q₃₁(0) and q₃₁(1) areupdated using H31 and H33 except H31.

q ₃₁(0)=K′×{r ₃₂(0)×r ₃₃(0)}  (14)

q ₃₁(1)=K′×{r ₃₂(1)×r ₃₃(1)}  (15)

Subsequently, the syndrome decoding unit 33 calculates posteriorprobability (conditional probability×prior values) Q_(i)(0) and Q_(i)(1)and calculates a temporary estimated word m_(C)′=(m_(C1)′, m_(C2)′, . .. , m_(Cn)′) (step S34). In other words, the syndrome decoding unit 33obtains a temporary estimated word in Equation (18) based on results ofcalculation of Equations (16) and (17). The syndrome decoding unit 33performs judgment processing every time iteration is performed once.

$\begin{matrix}{{Q_{i}(0)} = {K^{''}{P\left( {{m_{Bi}m_{Ci}} = 0} \right)}{\prod{r_{{ij},}(0)}}}} & (16) \\{j^{\prime} \in {A(i)}} & \; \\{{{Q_{i}(1)} = {K^{''} \times {P\left( {{m_{Bi}m_{Ci}} = 1} \right)}{\prod r_{ij}}}},(1)} & (17) \\{j^{\prime} \in {A(i)}} & \; \\{{m_{Ci}\prime} = \left\{ \begin{matrix}{{0:{{{if}\mspace{14mu} {Q_{i}(0)}} \geq {Q_{i}(1)}}}\mspace{14mu}} \\{1:{{{if}\mspace{14mu} {Q_{i}(0)}} < {Q_{i}(1)}}}\end{matrix} \right.} & (18)\end{matrix}$

K″ in the Equations is assumed to be a value defined to establish (avalue for normalizing) “Q_(i)(0)+Q_(i)(1)=1”. Conditional probabilityP(m_(B)|m_(C)=0) is defined as indicated by Equations (19) and (20) andp represents a bit error rate.

$\begin{matrix}{{P\left( {{m_{{Bi}^{\prime}}m_{{Ci}^{\prime}}} = 0} \right)} = \left\{ \begin{matrix}{1 - {p\left( {m_{{Bi}^{\prime}} = 0} \right)}} \\{p\left( {m_{{Bi}^{\prime}} = 1} \right)}\end{matrix} \right.} & (19) \\{{P\left( {{m_{{Bi}^{\prime}}m_{{Ci}^{\prime}}} = 1} \right)} = \left\{ \begin{matrix}{p\left( {m_{{Bi}^{\prime}} = 0} \right)} \\{1 - {p\left( {m_{{Bi}^{\prime}} = 1} \right)}}\end{matrix} \right.} & (20)\end{matrix}$

The syndrome decoding unit 33 checks whether the temporary estimatedword m_(C)′ can be the transmission data m_(A) (step S35). For example,if m_(C)′=(m_(C1)′, m_(C2)′, . . . , m_(Cn)′) satisfies a condition“m_(C)′×H^(T)=S_(A)” (“Yes” at step S36), the syndrome decoding unit 33outputs m_(C)′ as the estimated word m_(C) (m_(C1), m_(C2), . . . ,m_(Cn)).

On the other hand, when the condition is not satisfied and 1<1_(max)(“No” at step S36), the syndrome decoding unit 33 increments the countervalue 1 and executes the processing at step S32 again using the updatedvalue. Thereafter, the syndrome decoding unit 33 repeatedly executes theprocessing at steps S32 to S36 using updated values until the conditionis satisfied (in the range of 1<1_(max)).

The syndrome decoding unit 33 compares (EXOR) the estimated wordm_(C)(m_(C1), m_(C2), . . . , m_(Cn)) and reception data m_(B)=(m_(B1),m_(B2), . . . , m_(Bn)) and outputs an error vector (corresponding to eof the reception data m_(B)=m_(A)+e (noise and the like)) (step S37).

It is likely that error judgment is caused by presence of a plurality ofestimated words m_(C) satisfying “H×m_(C)=S_(A)” (when H and S_(A) arefixed, there are 2^(n−k) entropies of m_(C)) and the transmission datam_(A) cannot be correctly estimated (the transmission data m_(A) and theestimated word m_(C) judged to be correct do not coincide with eachother). Thus, the syndrome decoding unit 33 performs error detection forthe estimated word m_(C) (step S38). The syndrome decoding unit 33compares the cyclic code syndrome S_(C)=CRC×m_(A) received at step S14and an estimated cyclic code syndrome S_(C)′ in Equation (21). If S_(C)is equal to S_(C)′, the syndrome decoding unit 33 judges that there isno error in the estimated word m_(C), outputs the estimated wordm_(C)=(m_(C1), m_(C2), . . . , m_(Cn)) as the original transmission datam_(A)=(m_(A1), m_(A2), . . . , m_(An)), and ends an algorithm shown inFIG. 9. On the other hand, if S_(C) is not equal to S_(C)′, the syndromedecoding unit 33 judges that there is an error in the estimated wordm_(C) and discards the estimated word m_(C).

S _(C) ′=rem(m _(C) /gx)  (21)

In the Equation, rem represents a remainder of the division m_(C)/gx onGF(2).

In this way, in the syndrome decoding method adopted in the quantum keydistribution according to the present embodiment, “exchange of paritiesperformed an enormous number of times (binary search) for specifying anerror bit” that occurs in error correction described in the conventionaltechnology is eliminated. Error correction is performed using paritycheck matrixes for an LDPC code having an extremely high characteristic(error correction ability). This makes it possible to generate a commonkey, security of which is highly guaranteed, while correcting a dataerror on a transmission path in a short time.

According to the present embodiment, the cyclic code syndrome S_(C)generated by the communication apparatus on the transmission side andthe estimated cyclic code syndrome S_(C)′ generated based on theestimated word m_(C) are compared to perform error detection for theestimated word m_(C). This makes it possible to substantially reduceerror judgment probability for the estimated word m_(C) judged from thereception data m_(B). In other words, it is possible to accuratelyestimate the original transmission data m_(A).

According to the present embodiment, the reception data m_(B) and m_(b)are hard decision values with probability information. However, thereception data m_(B) and m_(b) may be soft decision values.

After the transmission data m_(A) is estimated as described above,finally, in the communication apparatus on the reception side, acommon-key generating unit 35 discards a part of the shared information(m_(A)) according to error correction information laid open to thepublic (the information for k bits that is likely to have beenwiretapped: S_(A)) and generates an encryption key r having an amount ofinformation for b−k bits (step S16 in FIG. 3). In other words, thecommon-key generating unit 35 generates the encryption key r accordingto Equation (22) below using G⁻¹(n×(n−k)) calculated earlier. Thecommunication apparatus on the reception side uses the encryption key ras a common key to be shared with the communication apparatus on thetransmission side.

r=G⁻¹m_(A)  (22)

On the other hand, in the communication apparatus on the transmissionside, a common-key generating unit 15 discards a part of the sharedinformation (m_(A)) according to error correction information laid opento the public (the information for k bits that is likely to have beenwiretapped: S_(A)) and generates an encryption key r having an amount ofinformation for n−k bits (step S6 in FIG. 2). In other words, thecommon-key generating unit 15 generates the encryption key r accordingto Equation (22) above using G⁻¹(n×(n−k)) calculated earlier (step S6).The communication apparatus on the transmission side uses the encryptionkey r as a common key to be shared with the communication apparatus onthe reception side.

Moreover, according to the present embodiment, the common key may bepermuted using a regular random matrix R. This makes it possible toreinforce confidentiality. Specifically, first, the communicationapparatus on the transmission side generates the regular random matrix R(an (n−k)×(n−k) matrix) and notifies the communication apparatus on thereception side of the regular random matrix R via the publiccommunication path. This processing may be performed in thecommunication apparatus on the reception side. Thereafter, thecommunication apparatuses on the transmission side and the receptionside generate the encryption keys r according to Equation (23) usingG⁻¹(n×(n−k)) calculated earlier.

r=RG⁻¹m_(A)  (23)

As described above, according to the present embodiment, a data error ofshared information is corrected using parity check matrixes for an“Irregular-LDPC code”, which are definite and have stablecharacteristics, error detection for shared information (estimated word)is performed using the cyclic code CRC, and, thereafter, a part of theshared information is discarded according to error correctioninformation laid open to the public. Consequently, exchange of paritiesperformed an enormous number of times for specifying and correcting anerror bit is eliminated and error correction control is performed simplyby transmitting the error correction information. Thus, it is possibleto substantially reduce time required for error correction processing.

Furthermore, according to the present embodiment, the communicationapparatus on the reception side performs error detection for anestimated word using error detection information generated by thecommunication apparatus on the transmission side. This makes it possibleto substantially reduce misjudgment probability for the estimated wordand accurately estimate original transmission data.

Moreover, according to the present embodiment, since a part of sharedinformation is discarded according to information laid open to thepublic, it is possible to generate a common key, security of which ishighly guaranteed.

Furthermore, according to the present embodiment, the inverse matrix G⁻¹(n×(n−k)) is generated from the generator matrix G ((n−k)×n) satisfyingHG=0 (G⁻¹*G=I (unit matrix)) and a part (k) of shared information (n) isdiscarded using the inverse matrix G⁻¹ to generate the encryption key rhaving an amount of information for n−k bits. However, the presentinvention is not limited to this. A part of the shared information (n)may be discarded to generate an encryption key r having an amount ofinformation for m (m≦n−k) bits. Specifically, a map F(·) for mapping ann-dimensional vector to an m-dimensional vector is assumed. To guaranteesecurity of a common key, F(·) needs to satisfy a condition that thenumber of elements of a reverse image (F·G)⁻¹(v) in a combined map F·Gof the map F and the generator matrix G is fixed (2^(n−k−m)) withrespect to an arbitrary m-dimensional vector v regardless of v. In thiscase, the common key r is F(m_(A)).

Moreover, according to the present embodiment, in the processing atsteps S6 and S16, a part of shared information may be discarded using acharacteristic of the parity check matrix H without using the generatormatrix G⁻¹. Specifically, first, the common-key generating units 15 and35 apply random permutation to rows of the parity check matrix Hgenerated at steps S1 and S11. Then, the common-key generating units 15and 35 exchange information on bits to be discarded between thecommunication apparatuses via the public communication path. Forexample, the common-key generating units 15 and 35 select specific “1”from a first column of an original finite affine geometry AG (2, 2^(s))and exchange a position of “1” via the public communication path.Thereafter, the common-key generating units 15 and 35 specify, from theparity check matrix after permutation, a position after divisioncorresponding to “1” and a position after division corresponding to “1”in respective columns cyclically shifted, discard bits in the sharedinformation m_(A) corresponding to the positions specified, and set theremaining data as the encryption key r. This makes it possible toeliminate complicated arithmetic processing for the generator matrixes Gand G⁻¹.

INDUSTRIAL APPLICABILITY

As described above, the quantum key distribution method and thecommunication apparatus according to the present invention are useful asa technology for generating a common key, security of which is highlyguaranteed. In particular, the quantum key distribution method and thecommunication apparatus are suitable for communication on a transmissionpath on which a wiretapper is likely to be present.

1-7. (canceled)
 8. A quantum-key distributing method for a quantumcryptographic system including a transmission-side communicationapparatus that transmits a random number sequence forming a basis of anencryption key in a predetermined quantum state on a quantumcommunication path and a reception-side communication apparatus thatmeasures a photon on the quantum communication path, the quantum-keydistributing method comprising: transmitting and receiving including thereception-side communication apparatus maintaining reception data withprobability information obtained as a result of measuring a lightdirection with a measuring device capable of correctly identifying thelight direction; and the transmission-side communication apparatusmaintaining transmission data corresponding to the reception data;information notifying including the transmission-side communicationapparatus notifying, via a public communication path, the reception-sidecommunication apparatus of error correction information generated basedon a parity check matrix, of which elements are “0” or “1”, and thetransmission data and error detection information generated based on acyclic code for detecting an error and the transmission data;transmission-data estimating including the reception-side communicationapparatus estimating the transmission data based on a same parity checkmatrix as that of the transmission-side communication apparatus, thereception data with probability information, the error correctioninformation, and the error detection information; and encryption-keygenerating including the transmission-side communication apparatus andthe reception-side communication apparatus discarding a part of thetransmission data according to an amount of opened information andgenerating an encryption key using rest of the transmission data.
 9. Thequantum-key distributing method according to claim 8, wherein thetransmission-data estimating includes setting a prior valuecorresponding to an element “1” in the parity check matrix as initialsetting; executing, row by row, a first process of updating, an externalvalue corresponding to the element “1” in the parity check matrix usinga prior value corresponding to another element “1” in an identical rowand the probability information according to the error correctioninformation; executing, column by column, a second process of updatingthe prior value corresponding to the element “1” in the parity checkmatrix using an external value after the update corresponding to anotherelement “1” in an identical column; calculating posterior probabilitybased on the probability information and the prior value after theupdate and judging a temporary estimated word from the posteriorprobability; and detecting, when the temporary estimated word satisfiesa predetermined condition established between the temporary estimatedword and the parity check matrix, an error for the temporary word usingthe error detection information, judging, if there is no error, that thetemporary estimated word is original transmission data, and repeatedlyexecuting, when the temporary estimated word does not satisfy thepredetermined condition, the first process, the second process, and aprocess of judging the temporary estimated word using the value afterthe update until the condition is satisfied.
 10. The quantum-keydistributing method according to claim 9, wherein the transmission-dataestimating includes comparing the error detection information andestimated error detection information generated using the temporaryestimated word, judging, if the error detection information and theestimated error detection information coincide with each other, thatthere is no error in the temporary estimated word, and judging, if theerror detection information and the estimated error detectioninformation do not coincide with each other, that there is an error inthe temporary estimated word.
 11. A communication apparatus thatconstitutes a quantum cryptographic system in which apparatuses share anencryption key through quantum key distribution, and transmits a randomnumber sequence forming a basis of the encryption key to a quantumcommunication path in a predetermined quantum state, the communicationapparatus comprising: an information notifying unit that notifies, via apublic communication path, the other apparatus of error correctioninformation and error detection information, the error correctioninformation being generated based on transmission data corresponding toreception data of the other apparatus obtained as a result of measuringa light direction with a measuring device capable of correctlyidentifying the light direction and a same parity check matrix as thatof the other apparatus, the error detection information being generatedbased on the transmission data and a cyclic code for detecting an error;and an encryption-key generating unit that discards a part of thetransmission data according to an amount of opened information, andgenerates an encryption key using rest of the transmission data.
 12. Acommunication apparatus that constitutes a quantum cryptographic systemin which apparatuses share an encryption key through quantum keydistribution, and measures a photons, which is a random number sequenceforming a basis of the encryption key, on a quantum communication path,the communication apparatus comprising: a transmission-data estimatingunit that estimates original transmission data based on a parity checkmatrix identical to that of other apparatus that shares the encryptionkey, reception data with probability information obtained by measuring alight direction with a measuring device capable of correctly identifyingthe light direction, and error correction information and errordetection information received from other apparatus via a publiccommunication path; and an encryption-key generating unit that discardsa part of the transmission data according to an amount of openedinformation, and generates an encryption key using rest of thetransmission data.
 13. The communication apparatus according to claim12, wherein the transmission-data estimating unit performs setting aprior value corresponding to an element “1” in the parity check matrixas initial setting, executing, row by row, a first process of updating,an external value corresponding to the element “1” in the parity checkmatrix using a prior value corresponding to another element “1” in anidentical row and the probability information according to the errorcorrection information, executing, column by column, a second process ofupdating the prior value corresponding to the element “1” in the paritycheck matrix using an external value after the update corresponding toanother element “1” in an identical column, calculating posteriorprobability based on the probability information and the prior valueafter the update and judging a temporary estimated word from theposterior probability, and detecting, when the temporary estimated wordsatisfies a predetermined condition established between the temporaryestimated word and the parity check matrix, an error for the temporaryword using the error detection information, judging, if there is noerror, that the temporary estimated word is original transmission data,and repeatedly executing, when the temporary estimated word does notsatisfy the predetermined condition, the first process, the secondprocess, and a process of judging the temporary estimated word using thevalue after the update until the condition is satisfied.
 14. Thecommunication apparatus according to claim 13, wherein thetransmission-data estimating unit performs comparing the error detectioninformation and estimated error detection information generated usingthe temporary estimated word, judging, if the error detectioninformation and the estimated error detection information coincide witheach other, that there is no error in the temporary estimated word, andjudging, if the error detection information and the estimated errordetection information do not coincide with each other, that there is anerror in the temporary estimated word.